
Attacks on PDF Certification and the impact on Approval Signatures



In May 2021, researchers published two attacks on certified PDFs, which enabled unintentional and fraudulent modifications to be applied to signed documents. Here we provide a brief summary of the attacks and explain why documents that are digitally signed using Cryptomathic Signer and its WYSIWYS technology are not susceptible to these attacks.

The Attack

The attacks apply to "certified" PDF documents. A certified PDF document is a PDF document with a digital signature that serves as a certificate of the content of the document. A certified document allows certain modifications to be made after the certification. A typical use-case of certified documents is a questionnaire where the form itself is certified, but a questionee is allowed to fill in answers to the questions without invalidating the certification signature.

The webpage https://pdf-insecurity.org/ is dedicated to these attacks and gives good explanations of the attacks as well as analysis of the impact on several of the most popular PDF readers.

Certification signatures and the allowed modifications to certified documents are described in the PDF standard (ISO 32000). Though the intention of the allowed modification is to allow additional content in the certified document, some of the allowed modifications can be abused to change existing content.

The "FreeText" annotation, for instance, allows additional text anywhere on a page. This could be abused to change a billing amount from $100 to $100,000.

Any additions to the certified document are made as "annotations" that are added to the document. By looking at the certified file, it is thus simple to see the difference between the original document and any additions made after certification. The attack occurs because some PDF viewers provide no visible indication that allows the user to identify added content. A "safe" PDF viewer will clearly indicate what content has been added, either directly in the viewer, or in status or information panels.
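The comparison described above can be sketched in a few lines. This is an added example, not code from Cryptomathic or pdf-insecurity.org: it reads the signature's `/ByteRange`, treats everything after the signed range as post-signing additions, and lists annotation subtypes found there. The function names and the sample document are constructed for illustration, and the sketch assumes uncompressed objects and does not verify the signature itself.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# A few annotation subtypes from ISO 32000; extend as needed.
ANNOT = re.compile(rb"/Subtype\s*/(FreeText|Stamp|Redact|Ink|Square|Line|Text)\b")


def additions_after_signing(pdf: bytes) -> dict:
    """Report what was appended after the first signature's signed byte range."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found: document is not signed")
    off1, len1, off2, len2 = (int(g) for g in m.groups())
    signed_end = off2 + len2  # first byte NOT covered by the signature
    if off1 != 0 or len1 > off2 or signed_end > len(pdf):
        raise ValueError("malformed /ByteRange")
    tail = pdf[signed_end:]  # incremental updates written after signing
    return {
        "signed_end": signed_end,
        "appended_bytes": len(tail),
        "annotation_subtypes": [s.decode() for s in ANNOT.findall(tail)],
    }


def build_sample(with_update: bool) -> bytes:
    """Constructed sample: a skeletal signed revision plus an optional update."""
    prefix = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 "
    fmt = b"%010d %010d %010d] /Contents "
    hole = b"<" + b"00" * 16 + b">"  # placeholder, not a real signature
    suffix = b" >>\nendobj\n%%EOF\n"
    len1 = len(prefix) + len(fmt % (0, 0, 0))
    off2 = len1 + len(hole)
    signed = prefix + fmt % (len1, off2, len(suffix)) + hole + suffix
    update = (b"7 0 obj\n<< /Type /Annot /Subtype /FreeText"
              b" /Rect [50 700 200 720] /Contents (added text) >>\nendobj\n%%EOF\n")
    return signed + update if with_update else signed


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("updated", build_sample(True))):
        print(label, additions_after_signing(doc))
```

Appended bytes alone are not a finding, since form fill-in and later signatures are also written as updates; the annotation subtypes in the tail are what a reviewer should inspect.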

The Impact on Approval Signatures and WYSIWYS

Cryptomathic Signer implements “What You See Is What You Sign” (WYSIWYS) technology, which applies "approval signatures" to PDF documents. In contrast to certification signatures, approval signatures do not allow any modification to the main document after signing (additional signatures, timestamps, etc. are allowed). WYSIWYS guarantees that what the signee sees when s/he signs the document will also be what anyone else sees in the future when they open the signed document.

The WYSIWYS technology, used by Cryptomathic Signer, can give this guarantee since it insists on PDF documents adhering to the PDF/A 2 standard.

The PDF/A 2 standard does not allow any content that can change over time or from PDF viewer to PDF viewer. Even when a certified document is signed with WYSIWYS, WYSIWYS ensures that no further changes can happen to the certified document after an approval signature has been applied through WYSIWYS.

While WYSIWYS will happily render a certified document that has been updated with elements as suggested in the attack, it is important to note that the visual representation given by WYSIWYS at the time of signing is identical to the visual representation of the document at any future time. From the point of view of WYSIWYS, there is no difference between content that is added before or after the certification. Any certification flow that is required by the document must take place before WYSIWYS is involved. Finally, it’s also worth noting that WYSIWYS itself does not validate any certification signature. 

In summary, PDFs signed with digital signatures created by Cryptomathic Signer are not endangered by these attacks. Contact us for more information on how Cryptomathic Signer protects against attacks on digital signatures.
